Abstract. In this paper, we consider the problem of translating LTL formulas to Büchi automata. We first translate the given LTL formula into a special disjunctive-normal form (DNF). The formula will be part of the state, and its DNF normal form specifies the atomic properties that should hold immediately (labels of the transitions) and the formula that should hold afterwards (the corresponding successor state). Surprisingly, if the given formula is Until-free or Release-free, the Büchi automaton can be obtained directly in this manner. For a general formula, the construction is slightly involved: an additional component will be needed for each formula that helps us to identify the set of accepting states. Notably, our construction is an on-the-fly construction, and the resulting Büchi automaton has in the worst case $2^{2n+1}$ states, where $n$ denotes the number of subformulas. Moreover, it has a better bound of $2^{n+1}$ when the formula is Until- (or Release-) free.



1 Introduction 

Translating Linear Temporal Logic (LTL) formulas to their equivalent automata (usually Büchi automata) has been studied for nearly thirty years. This translation plays a key role in automata-based model checking [13]: here the automaton of the negation of the LTL property is first constructed, then the verification process is reduced to the emptiness problem of the product. Gerth et al. [6] proposed an on-the-fly construction approach to generating Büchi automata from LTL formulas, which means that a counterexample can be detected even when only a part of the property automaton has been generated. They called it a tableau construction approach, which became widely used, and many subsequent works [10,7,2,4,1] on optimizing the automata under construction are based on it.

In this paper, we propose a novel construction by making use of the notion of disjunctive-normal forms (DNF). For an LTL formula $\varphi$, its DNF normal form is an equivalent formula of the form $\bigvee_i (\alpha_i \wedge X\varphi_i)$, where $\alpha_i$ is a finite conjunction of literals (atomic propositions or their negations), and $\varphi_i$ is a conjunctive LTL formula whose root operator is not a disjunction. We show that any LTL formula can be transformed into an equivalent DNF normal form, and refer to $\alpha_i \wedge X\varphi_i$ as a clause of $\varphi$. It is easy to see that any given LTL formula induces a labelled transition system (LTS): states correspond to formulas, and we assign a transition from $\varphi$ to $\varphi_i$ labelled with $\alpha_i$ if $\alpha_i \wedge X\varphi_i$ appears as a part of the DNF form of $\varphi$. Figure 1 demonstrates our idea, with the transition labels omitted.




The LTS is the starting point of our construction. Surprisingly, for Until-free (or Release-free) formulas, the Büchi automaton can be obtained directly by equipping the above LTS with a set of accepting states, which is illustrated as follows. Consider the formula $aUb$, whose DNF form is $(b \wedge X(\mathit{True})) \vee (a \wedge X(aUb))$. The corresponding Büchi automaton for $aUb$ is shown in Figure 2, where the nodes $aUb$ and $\mathit{True}$ represent the formulas $aUb$ and $\mathit{True}$ respectively. The transitions are self-explanatory. By the semantics, we know that if the run $\xi$ satisfies a Release-free formula $\varphi$, then there must be a finite satisfying prefix $\eta$ of $\xi$ such that any path starting with $\eta$ satisfies $\varphi$ as well. Thus, for this class of formulas, the state corresponding to the formula $\mathit{True}$ is taken as the single accepting state. Until-free formulas can be treated in a similar way by taking the set of all states as accepting.

The main contribution of the paper is to extend the above construction to general formulas. As an example we consider the formula $\varphi = G(aUb)$, which has the normal form $(b \wedge X\varphi) \vee (a \wedge X(aUb \wedge \varphi))$. Note that here the formula $\mathit{True}$ is not even reachable. The most challenging part of the construction is then the identification of the set of accepting states. For this purpose, we identify subformulas that will be reached infinitely often, which we call looping formulas. Only some of the looping formulas contribute to the set of accepting states. These formulas will be the key to our construction: we characterize a set of atomic propositions for each formula, referred to as the obligation set. The set contains properties that must occur infinitely often to make the given formula satisfiable. In our construction, we add an additional component to the states to keep track of the obligations, and then define accepting states based on it; an illustrating example can be found in Section 2.

Our construction for general formulas has at most $2^{2n+1}$ states, with $n$ denoting the number of subformulas. The number of states for the Release-free/Until-free cases is bounded by $2^{n+1}$. Recall the complexity of $2^{O(n)}$ [6] of the classical tableau construction. To the best of our knowledge, this is the first time that one can give a precise bound on the exponent for such a construction.

Related Work. As we know, there are two main approaches to Büchi automata construction from LTL formulas. The first approach generates an alternating automaton from the LTL formula and then translates it to an equivalent Büchi automaton [15]. Gastin et al. [5] proposed a variant of this construction in 2001, which first translates the very weak alternating co-Büchi automaton to a generalised automaton with accepting transitions, which is then translated into a Büchi automaton. In particular, their experiments show that their algorithm outperforms the others if the formulas under construction are restricted to fairness conditions. Recently Babiak et al. [1] proposed some optimization strategies based on the work [5].

The second approach was proposed in 1995 by Gerth et al. [6] and is called the tableau construction. This approach can generate the automata from LTL on-the-fly, which is widely used in verification tools to accelerate the automata-based verification process. Introducing the (state-based) Generalized Büchi Automata (GBA) is the important feature of the tableau construction. Daniele et al. [2] improved the tableau construction by some simple syntactic techniques. Giannakopoulou and Lerda [7] proposed another construction approach that uses the transition-based Generalized Büchi Automaton (TGBA). Some optimization techniques [4,10] have also been proposed to reduce the size of the generated automata. For instance, Etessami and Holzmann [3] described optimization techniques including proof-theoretic reductions (formula rewriting), core algorithm tightening and automata-theoretic reductions (simulation based).

Organization of the paper. Section 2 illustrates our approach by a running example. Section 3 introduces preliminaries of Büchi automata and LTL formulas and then introduces the disjunctive-normal form for LTL formulas; Section 4 specifies the proposed DNF-based construction; Section 5 discusses how our approach is related to the tableau construction in [6]. Section 6 concludes the paper.

2 A Running Example 

We consider the formula $\varphi_1 = G(bUc \wedge dUe)$ as our running example. The DNF form of $\varphi_1$ is given by:

$\varphi_1 = (c \wedge e \wedge X(\varphi_1)) \vee (b \wedge e \wedge X(\varphi_2)) \vee (c \wedge d \wedge X(\varphi_3)) \vee (b \wedge d \wedge X(\varphi_4))$

where $\varphi_2 = bUc \wedge G(bUc \wedge dUe)$, $\varphi_3 = dUe \wedge G(bUc \wedge dUe)$, $\varphi_4 = bUc \wedge dUe \wedge G(bUc \wedge dUe)$. It is easy to check that the above DNF form is indeed equivalent to the formula $\varphi_1$. Interestingly, we note that $\varphi_1, \varphi_2, \varphi_3, \varphi_4$ all have the same DNF form above.

Fig. 3. The Büchi automaton for the formula $\varphi_1$.

The corresponding Büchi automaton for $\varphi_1$ is depicted in Fig. 3. We can see that there are four states in the generated automaton, corresponding to the four formulas $\varphi_i$ ($i = 1,2,3,4$). The state corresponding to the formula $\varphi_1$ is also the initial state. The transition relation is obtained by observing the DNF forms: for instance we have a self-loop for state $s_1$ with label $c \wedge e$. If we observe the normal form of $\varphi_1$, we can see that there is a term $(c \wedge e \wedge X(\varphi_1))$, which is a conjunction of the two terms $c \wedge e$ and $X(\varphi_1)$; the $\varphi_1$ under the $X$ operator corresponds to the node $s_1$, and $c \wedge e$ corresponds to the loop edge on $s_1$.

Thus, the disjunctive-normal form of the formula has a very close relation with the generated automaton. The most difficult part is to determine the set of accepting states of the automaton. We therefore give here a brief description of several notions introduced for this purpose, using our running example. All four formulas $\varphi_i$ ($i = 1,2,3,4$) have the same obligation set, i.e. $OS_{\varphi_1} = \{\{c, e\}\}$, which may differ for other formulas. In our construction, every obligation in the obligation set of a formula identifies the properties that need to be satisfied infinitely often if the formula is satisfiable. For example, the formulas $\varphi_i$ ($i = 1,2,3,4$) are satisfied if and only if all properties in the obligation $\{c, e\}$ are met infinitely often, according to our framework. Then, a state consists of a formula and the process set, which records all the properties that have been met so far. For simplicity, we initialize the process set $P_1$ of the initial state $s_1$ with the empty set. For the state $s_2$, the corresponding process set $P_2 = \{e\}$ is obtained by taking the union of $P_1$ and the label $\{b, e\}$ from $s_1$. The label $b$ is omitted as it is not contained in the obligation. Similarly one can conclude $P_3 = \{c\}$ and $P_4 = \{\mathit{true}\}$: here the property $\mathit{true}$ indicates that no property has been met so far. When there is more than one property in the process set, the $\{\mathit{true}\}$ can be erased, as in state $s_3$. Moreover, the process set in a state will be reset to empty if it includes one obligation of the formula's obligation set. For instance, the transition $s_2 \xrightarrow{c \wedge d} s_1$ in the figure is due to $P' = P_2 \cup \{c\} = \{c, e\}$, which is in $OS_{\varphi_1}$. So $P'$ is reset to the empty set. One can also see the same rule when the



Throughout the paper, we will return to this example when we explain our construction approach.

3 Büchi Automaton, LTL and Disjunctive Normal Form

3.1 Büchi Automaton

A Büchi automaton is a tuple $\mathcal{A} = (\Sigma, S, \delta, S_0, F)$, where $S$ is a finite set of states, $\Sigma$ is a finite alphabet, $\delta : S \times \Sigma \to 2^S$ is the transition relation, $S_0$ is a set of initial states, and $F \subseteq S$ is a set of accepting states of $\mathcal{A}$.

We use $\omega, \omega_0 \in \Sigma$ to denote letters of $\Sigma$, and $\eta, \eta_0 \in \Sigma^*$ to denote finite sequences. A run $\xi = \omega_0 \omega_1 \omega_2 \ldots$ is an infinite sequence over $\Sigma^\omega$. For $\xi$ and $k \geq 1$ we use $\xi^k = \omega_0 \omega_1 \ldots \omega_{k-1}$ to denote the prefix of $\xi$ up to its $k$-th element (the $(k+1)$-th element is not included), and $\xi_k$ to denote the suffix $\omega_k \omega_{k+1} \ldots$ from its $(k+1)$-th element (the $(k+1)$-th element is included). Thus, $\xi = \xi^k \xi_k$. For notational convenience we write $\xi_0 = \xi$ and $\xi^0 = \varepsilon$ ($\varepsilon$ is the empty string). The run $\xi$ is accepting if it runs across one of the states in $F$ infinitely often.

3.2 Linear Temporal Logic

We recall linear temporal logic (LTL), which is widely used as a specification language to describe the properties of reactive systems. Assume $AP$ is a set of atomic propositions; then the syntax of LTL formulas is defined by:

$\varphi ::= a \mid \neg a \mid \varphi \wedge \varphi \mid \varphi \vee \varphi \mid \varphi\,U\,\varphi \mid \varphi\,R\,\varphi \mid X\varphi$

where $a \in AP$ and $\varphi$ is an LTL formula. We say $\varphi$ is a literal if it is a proposition or its negation. In this paper we use lower case letters to denote atomic propositions, $\alpha, \beta, \gamma$ to denote propositional formulas (without temporal operators), and $\varphi, \psi, \vartheta, \mu, \nu$ and $\lambda$ to denote LTL formulas.

Note that w.l.o.g. we consider LTL formulas in negation normal form (NNF), i.e. all negations are pushed down to the literal level. LTL formulas are interpreted on infinite sequences (corresponding to runs of the automata) $\xi \in \Sigma^\omega$ with $\Sigma = 2^{AP}$. The Boolean connective case is trivial, and the semantics of the temporal operators is given by:

- $\xi \models \varphi_1 U \varphi_2$ iff there exists $i \geq 0$ such that $\xi_i \models \varphi_2$ and $\xi_j \models \varphi_1$ for all $0 \leq j < i$;

- $\xi \models \varphi_1 R \varphi_2$ iff either $\xi_i \models \varphi_2$ for all $i \geq 0$, or there exists $i \geq 0$ with $\xi_i \models \varphi_1 \wedge \varphi_2$ and $\xi_j \models \varphi_2$ for all $0 \leq j < i$;

- $\xi \models X\varphi$ iff $\xi_1 \models \varphi$.

According to the LTL semantics, it holds that $\varphi R \psi \equiv \neg(\neg\varphi U \neg\psi)$. We use the usual abbreviations $\mathit{True} = a \vee \neg a$, $Fa = \mathit{True}\,U\,a$ and $Ga = \mathit{False}\,R\,a$.

Notations. Let $\varphi$ be a formula written in conjunctive form $\varphi = \bigwedge_{i \in I} \varphi_i$ such that the root operator of each $\varphi_i$ is not a conjunction: then we define the conjunctive formula set as $CF(\varphi) := \{\varphi_i \mid i \in I\}$. When $\varphi$ does not have a conjunction as its root operator, $CF(\varphi)$ only includes $\varphi$ itself. For technical reasons, we assume that $CF(\mathit{True}) = \emptyset$. Our construction requires that every atom (property) in the formula can be distinguished by its position. For example, for the formula $aUa$ we consider the two occurrences of $a$ to be syntactically different, and similarly for the formula $aU\neg a$.

3.3 Disjunctive Normal Form

We introduce the notion of disjunctive-normal form for LTL formulas in the following.

Definition 1 (disjunctive-normal form). A formula $\varphi$ is in disjunctive-normal form (DNF) if it can be represented as $\varphi := \bigvee_i (\alpha_i \wedge X\varphi_i)$, where $\alpha_i$ is a finite conjunction of literals, and $\varphi_i = \bigwedge_j \varphi_{ij}$ where each $\varphi_{ij}$ is either a literal, or an Until, Next or Release formula.

We say $\alpha_i \wedge X\varphi_i$ is a clause of $\varphi$, and write $DNF(\varphi)$ to denote the set of all of its clauses.

As seen in the introduction and the motivating example, the DNF form plays a central role in our construction. Thus, we first show that any LTL formula $\varphi$ can be transformed into an equivalent formula in DNF form. The transformation is done in two steps: the first step applies the following rules:

Lemma 1.
1. $DNF(a) = \{a \wedge X(\mathit{True})\}$ where $a$ is a literal;

2. $DNF(X\varphi) = \{\mathit{True} \wedge X(\varphi)\}$;

3. $DNF(\varphi_1 U \varphi_2) = DNF(\varphi_2) \cup DNF(\varphi_1 \wedge X(\varphi_1 U \varphi_2))$;

4. $DNF(\varphi_1 R \varphi_2) = DNF(\varphi_1 \wedge \varphi_2) \cup DNF(\varphi_2 \wedge X(\varphi_1 R \varphi_2))$;

5. $DNF(\varphi_1 \vee \varphi_2) = DNF(\varphi_1) \cup DNF(\varphi_2)$;

6. $DNF(\varphi_1 \wedge \varphi_2) = \{(\alpha_1 \wedge \alpha_2) \wedge X(\psi_1 \wedge \psi_2) \mid \forall i = 1,2.\ \alpha_i \wedge X(\psi_i) \in DNF(\varphi_i)\}$.

All of the rules above are self-explanatory, following from the definition of DNF, the distributive law and the expansion laws. What remains is how to deal with the formulas under the Next operator: by definition, in a clause $\alpha_i \wedge X(\varphi_i)$ the root operator of $\varphi_i$ cannot be a disjunction. The equivalence $X(\varphi_1 \vee \varphi_2) \equiv X\varphi_1 \vee X\varphi_2$ can be applied repeatedly to move the disjunctions out of the Next operator. The distributive law of disjunction over conjunction then allows us to bring any formula into an equivalent DNF form:



Theorem 1. Any LTL formula $\varphi$ can be transformed into an equivalent formula in disjunctive-normal form.

In our running example, we have $DNF(\varphi_1) = DNF(\varphi_2) = DNF(\varphi_3) = DNF(\varphi_4) = \{c \wedge e \wedge X(\varphi_1),\ b \wedge e \wedge X(\varphi_2),\ c \wedge d \wedge X(\varphi_3),\ b \wedge d \wedge X(\varphi_4)\}$. Below we discuss the set of formulas that can be reached from a given formula.

Definition 2 (Formula Expansion). We write $\varphi \to \psi$ iff there exists $\alpha$ such that $\alpha \wedge X(\psi) \in DNF(\varphi)$. We say $\psi$ is expandable from $\varphi$, written $\varphi \to^* \psi$, if there exists a finite expansion $\varphi \to \psi_1 \to \psi_2 \to \ldots \to \psi_n = \psi$. Let $EF(\varphi)$ denote the set of all formulas that can be expanded from $\varphi$.

The following theorem points out that $|EF(\lambda)|$ is bounded:

Theorem 2. For any formula $\lambda$, $|EF(\lambda)| \leq 2^{n+1}$ where $n$ denotes the number of subformulas of $\lambda$.
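The rules of Lemma 1 and the expansion set of Definition 2, as an added example that is not the authors' code: it computes $DNF$ and $EF$ for the running example $G(bUc \wedge dUe)$ and shows that the four reachable formulas share one clause set once clauses implied by a smaller clause are dropped. The tuple syntax, the handling of $\mathit{True}$/$\mathit{False}$ and the `absorb` step are this example's own choices.

```python
"""Added example, not the authors' code: the DNF rules of Lemma 1 and the
expansion set EF of Definition 2, run on the paper's G(bUc /\ dUe).

Formula syntax (nested tuples, negation normal form; chosen here, not the
paper's):  ("lit", "a") / ("lit", "!a")  literals,  ("true",), ("false",),
("X", f), ("U", f, g), ("R", f, g), ("and", f, g), ("or", f, g).
A conjunctive formula psi is kept as CF(psi): a frozenset of conjuncts, with
frozenset() standing for True (the paper's CF(True) = {}).  A clause
alpha /\ X psi is the pair (alpha, psi) with alpha a frozenset of literals."""
from itertools import product

TRUE, FALSE = ("true",), ("false",)


def lit(name):
    return ("lit", name)


def conj_sets(f):
    """Split f into disjunction-free conjunct sets, i.e. apply
    X(p \/ q) = Xp \/ Xq and the distributive law to the formula under X."""
    if f == TRUE:
        return {frozenset()}
    if f == FALSE:
        return set()
    if f[0] == "or":
        return conj_sets(f[1]) | conj_sets(f[2])
    if f[0] == "and":
        return {a | b for a, b in product(conj_sets(f[1]), conj_sets(f[2]))}
    return {frozenset({f})}


def dnf(f):
    """Rules 1-6 of Lemma 1; returns the set of clauses (alpha, psi)."""
    if f == TRUE:                       # assumption: True = True /\ X True
        return {(frozenset(), frozenset())}
    if f == FALSE:                      # assumption: False has no clause
        return set()
    op = f[0]
    if op == "lit":                     # a  ->  a /\ X True
        return {(frozenset({f[1]}), frozenset())}
    if op == "X":                       # X psi  ->  True /\ X psi
        return {(frozenset(), psi) for psi in conj_sets(f[1])}
    if op == "U":                       # p U q = q \/ (p /\ X(p U q))
        return dnf(f[2]) | dnf(("and", f[1], ("X", f)))
    if op == "R":                       # p R q = (p /\ q) \/ (q /\ X(p R q))
        return dnf(("and", f[1], f[2])) | dnf(("and", f[2], ("X", f)))
    if op == "or":
        return dnf(f[1]) | dnf(f[2])
    if op == "and":                     # pairwise union of clauses
        return {(a1 | a2, p1 | p2)
                for (a1, p1), (a2, p2) in product(dnf(f[1]), dnf(f[2]))}
    raise ValueError(f)


def absorb(clauses):
    """Drop a clause (a, psi) if some (a', psi) with a' strictly inside a is
    present: the smaller clause already implies the larger one, so the
    disjunction is unchanged.  This is why phi1..phi4 of the running example
    end up with literally the same clause set."""
    return {(a, p) for (a, p) in clauses
            if not any(p2 == p and a2 < a for (a2, p2) in clauses)}


def dnf_of_cf(psi):
    """DNF of a formula given as its conjunct set CF(psi)."""
    f = TRUE
    for conjunct in psi:
        f = ("and", f, conjunct)
    return absorb(dnf(f))


def expansion_set(f):
    """EF(f) (Definition 2) as a dict {CF(psi): DNF(psi)} over every formula
    reachable by repeated expansion.  Assumes the root of f is not 'or'."""
    start = next(iter(conj_sets(f)))
    table, todo = {}, [start]
    while todo:
        psi = todo.pop()
        if psi in table:
            continue
        table[psi] = dnf_of_cf(psi)
        todo.extend(p for (_, p) in table[psi] if p not in table)
    return table


# Running example of Section 2: phi1 = G(bUc /\ dUe), with G p = False R p.
b, c, d, e = (lit(n) for n in "bcde")
PHI1 = ("R", FALSE, ("and", ("U", b, c), ("U", d, e)))

if __name__ == "__main__":
    for psi, clauses in expansion_set(PHI1).items():
        print(len(psi), "conjuncts ->", sorted(sorted(a) for a, _ in clauses))
```

Running the script lists the four formulas of $EF(\varphi_1)$ (with 1 to 3 conjuncts each) and the same four labels $\{c,e\}, \{b,e\}, \{c,d\}, \{b,d\}$ for every one of them.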

4 DNF-based Büchi Automaton Construction

Our goal in this section is to construct the Büchi automaton $\mathcal{A}_\lambda$ for $\lambda$. We establish a few simple properties of general formulas that shed light on the construction for Release-free (Until-free) formulas. We then define the labelled transition system for a formula. In the following three subsections we present the construction for Release-free (Until-free) and for general formulas, respectively.

In the remainder of the paper, we fix $\lambda$ as the input LTL formula. All formulas being considered will range over the set $EF(\lambda)$, $AP$ will denote the set of all literals appearing in $\lambda$, and $\Sigma = 2^{AP}$.

4.1 Transition Systems for LTL Formulas

We first extend formula expansions to subsets in $\Sigma$:

Definition 3. For $\omega \in \Sigma$ and a propositional formula $\alpha$, $\omega \models \alpha$ is defined in the standard way: if $\alpha$ is a literal, $\omega \models \alpha$ iff $\alpha \in \omega$; $\omega \models \alpha_1 \wedge \alpha_2$ iff $\omega \models \alpha_1 \wedge \omega \models \alpha_2$; and $\omega \models \alpha_1 \vee \alpha_2$ iff $\omega \models \alpha_1 \vee \omega \models \alpha_2$.

We write $\varphi \xrightarrow{\omega} \psi$ if $\varphi \xrightarrow{\alpha} \psi$ (that is, $\alpha \wedge X(\psi) \in DNF(\varphi)$) and $\omega \models \alpha$. For a word $\eta = \omega_0 \omega_1 \ldots \omega_k$, we write $\varphi \xrightarrow{\eta} \psi$ iff $\varphi \xrightarrow{\omega_0} \psi_1 \xrightarrow{\omega_1} \psi_2 \ldots \xrightarrow{\omega_k} \psi_{k+1} = \psi$.

For a run $\xi \in \Sigma^\omega$, we write $\varphi \xrightarrow{\xi} \varphi$ iff $\xi$ can be written as $\xi = \eta_0 \eta_1 \eta_2 \ldots$ such that each $\eta_i$ is a finite sequence and $\varphi \xrightarrow{\eta_i} \varphi$ for all $i \geq 0$.

Below we provide a few interesting properties derived from our DNF normal forms.

Lemma 2. Let $\xi$ be a run and $\lambda$ a formula. Then, for all $n \geq 1$, $\xi \models \lambda$ iff there is a formula $\varphi$ with $\lambda \xrightarrow{\xi^n} \varphi \wedge \xi_n \models \varphi$.

Essentially, $\xi \models \lambda$ is equivalent to the fact that we can reach a formula $\varphi$ along the prefix $\xi^n$ such that the suffix $\xi_n$ satisfies $\varphi$. The following corollary is a direct consequence of Lemma 2 and the fact that we have only finitely many formulas in $EF(\lambda)$:

Corollary 1. If $\xi \models \lambda$, then there exists $n \geq 1$ such that $\lambda \xrightarrow{\xi^n} \varphi \wedge \xi_n \models \varphi \wedge \varphi \to^* \varphi$. On the other side, if $\lambda \xrightarrow{\xi^n} \varphi \wedge \xi_n \models \varphi \wedge \varphi \to^* \varphi$, then $\xi \models \lambda$.

This corollary gives the hint that after a finite prefix we can focus on whether the suffix satisfies the looping formula $\varphi$, i.e. a $\varphi$ with $\varphi \to^* \varphi$. From Definition 2 and the expansion rules for LTL formulas, we have the following corollary:

Corollary 2. If $\lambda \to^* \lambda$ holds and $\lambda \neq \mathit{True}$, then there is at least one Until or Release formula in $CF(\lambda)$.

As described above, the elements in $EF(\lambda)$ and their corresponding DNF normal forms naturally induce a labelled transition system, which can be defined as follows:

Definition 4 (LTS for $\lambda$). The labelled transition system $TS_\lambda$ generated from the formula $\lambda$ is a tuple $(\Sigma, S, \delta, S_0)$ where $\Sigma = 2^{AP}$, $S = EF(\lambda)$, $S_0 = \{\lambda\}$ and $\delta$ is defined as follows: $\psi \in \delta(\varphi, \omega)$ iff $\varphi \xrightarrow{\omega} \psi$ holds, where $\varphi, \psi \in EF(\lambda)$ and $\omega \in \Sigma$.

4.2 Büchi Automata for Release/Until-free Formulas

The following lemma is a special instance of our central theorem (Theorem 4). It states properties of accepting runs with respect to Release/Until-free formulas:

Lemma 3.
1. Assume $\lambda$ is Release-free. Then $\xi \models \lambda \iff \exists n \cdot \lambda \xrightarrow{\xi^n} \mathit{True}$.

2. Assume $\lambda$ is Until-free. Then $\xi \models \lambda \iff \exists n, \varphi \cdot \lambda \xrightarrow{\xi^n} \varphi \wedge \varphi \xrightarrow{\xi_n} \varphi$.

Essentially, if $\lambda$ is Release-free, we reach $\mathit{True}$ after finitely many steps; if $\lambda$ is Until-free, we reach a looping formula after finitely many steps. The Büchi automaton for Release-free or Until-free formulas is obtained directly by equipping the LTS with a set of accepting states:

Definition 5 ($\mathcal{A}_\lambda$ for Release/Until-free formulas). For a Release/Until-free formula $\lambda$, we define the Büchi automaton $\mathcal{A}_\lambda = (\Sigma, S, \delta, S_0, F)$ where $TS_\lambda = (\Sigma, S, \delta, S_0)$. The set $F$ is defined by: $F = \{\mathit{True}\}$ if $\lambda$ is Release-free, while $F = S$ if $\lambda$ is Until-free.

Notably, $\mathit{True}$ is the only accepting state of $\mathcal{A}_\lambda$ when $\lambda$ is Release-free, while all states are accepting if it is Until-free.

Theorem 3 (Correctness and Complexity). Assume $\lambda$ is Until-free or Release-free. Then, for any sequence $\xi \in \Sigma^\omega$, it holds that $\xi \models \lambda$ iff $\xi$ is accepted by $\mathcal{A}_\lambda$. Moreover, $\mathcal{A}_\lambda$ has at most $2^{n+1}$ states, where $n$ is the number of subformulas of $\lambda$.

Proof. The correctness is immediate from Lemma 3: 1) if $\lambda$ is Release-free, then every run $\xi$ of $\mathcal{A}_\lambda$ runs across the $\mathit{True}$-state$^4$ infinitely often iff it satisfies $\exists n \geq 0 \cdot \lambda \xrightarrow{\xi^n} \mathit{True}$, that is, $\xi \models \lambda$; 2) if $\lambda$ is Until-free, then $\xi \models \lambda$ iff $\exists n, \varphi \cdot \lambda \xrightarrow{\xi^n} \varphi \wedge \varphi \xrightarrow{\xi_n} \varphi$, which runs across the $\varphi$-state infinitely often, so that $\xi$ is accepted by $\mathcal{A}_\lambda$ according to the construction. The upper bound is a direct consequence of Theorem 2.

4.3 Central Theorem for General Formulas

In the previous section we constructed the Büchi automaton for Release-free or Until-free formulas by equipping the defined LTS with appropriate accepting states. For general formulas, this is however slightly involved. For instance, consider the LTS of the formula $\varphi = G(bUc \wedge dUe)$ in our running example: there are infinitely many runs starting from the initial state $s_1$, but which of them should be accepting? Indeed, it is not obvious how to identify the set of accepting states. In this section we present our central theorem for general formulas, aiming at identifying the accepting runs.




Fig. 4. A snapshot illustrating the relation $\xi \models \lambda$.



Assume the run $\xi = \omega_0 \omega_1 \ldots$ satisfies the formula $\lambda$. We refer to $\lambda (= \varphi_0) \xrightarrow{\alpha_0} \varphi_1 \xrightarrow{\alpha_1} \varphi_2 \ldots$ as an expansion path from $\lambda$, which corresponds to a path in the LTS $TS_\lambda$ but labelled with propositional formulas. Obviously, $\xi \models \lambda$ implies that there exists an expansion path in $TS_\lambda$ such that $\omega_i \models \alpha_i$ for all $i \geq 0$. As the set $EF(\lambda)$ is finite, we can find a looping formula $\varphi = \varphi_i$ that occurs infinitely often along this expansion path. On the other side, we can partition the run $\xi$ into sequences $\xi = \eta_0 \eta_1 \ldots$ such that each finite sequence $\eta_i$ is consistent with respect to one loop $\varphi \to^* \varphi$ along the expansion path. This is illustrated in Figure 4. The definition below formalizes the notion of consistency for finite sequences:

$^4$ In this paper we use $\varphi$-state to denote the state representing the formula $\varphi$.

Definition 6. Let $\eta = \omega_0 \omega_1 \ldots \omega_n$ ($n \geq 0$) be a finite sequence. Then, we say that $\eta$ satisfies the LTL formula $\varphi$, denoted by $\eta \models_f \varphi$, if the following conditions are satisfied:

- there exists $\varphi_0 = \varphi \xrightarrow{\alpha_0} \varphi_1 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} \varphi_{n+1} = \varphi$ such that $\omega_i \models \alpha_i$ for $0 \leq i \leq n$, and with $S := \bigcup_{0 \leq j \leq n} CF(\alpha_j)$, it holds that

1. if $\varphi$ is a literal then $\varphi \in S$;

2. if $\varphi$ is $\varphi_1 U \varphi_2$ or $\varphi_1 R \varphi_2$ then $S \models_f \varphi_2$;

3. if $\varphi$ is $\varphi_1 \wedge \varphi_2$ then $S \models_f \varphi_1 \wedge S \models_f \varphi_2$;

4. if $\varphi$ is $\varphi_1 \vee \varphi_2$ then $S \models_f \varphi_1 \vee S \models_f \varphi_2$;

5. if $\varphi$ is $X\varphi_2$ then $S \models_f \varphi_2$.

This predicate specifies whether the given finite sequence $\eta$ is consistent with respect to the finite expansion $\varphi_0 = \varphi \xrightarrow{\alpha_0} \varphi_1 \xrightarrow{\alpha_1} \ldots \xrightarrow{\alpha_n} \varphi_{n+1} = \varphi$. The condition $\omega_i \models \alpha_i$ requires that the finite sequence $\eta$ is consistent with respect to the labels along the finite expansion from $\varphi$. The rules for literals and Boolean connectives are intuitive. For the Until operator $\varphi_1 U \varphi_2$, it is defined recursively by $S \models_f \varphi_2$: to make the Until subformula satisfied, we should make sure that $\varphi_2$ holds under $S$. Similarly, for the Release operator $\varphi_1 R \varphi_2$, we know that $\varphi_1 \wedge \varphi_2$ or $\varphi_2$ plays the key role in an accepting run of $\varphi_1 R \varphi_2$. Because $\varphi_1 \wedge \varphi_2$ implies $\varphi_2$, and with rule (4) of the definition, we have $S \models_f \varphi_1 R \varphi_2 \equiv S \models_f \varphi_2$. Assume $\varphi = X\varphi_2$. As $CF(\mathit{True})$ is defined as $\emptyset$, we have $\eta \models_f \varphi$ iff $\eta' \models_f \varphi_2$ with $\eta' = \omega_1 \omega_2 \ldots \omega_n$.

The predicate $\models_f$ characterizes whether the prefix of an accepting run contributes to the satisfiability of $\lambda$. The idea comes from Corollary 1. Once $\varphi$ is expanded from itself infinitely often by a run $\xi$ with $\xi \models \varphi$, there must be some common feature each time $\varphi$ loops back to itself. This common feature is what we defined in $\models_f$. In our running example, consider the finite sequence $\eta = \{b, d\}\{b, d\}\{c, e\}$ corresponding to the path $s_1 s_4 s_4 s_1$: according to the definition, $\eta \models_f \varphi_1$ holds. For $\eta = \{b, d\}\{b, d\}\{b, d\}$, however, $\eta \not\models_f \varphi_1$.

With the notation $\models_f$, we study below properties of the looping formulas that lead to our central theorem.

Lemma 4 (Soundness). Given a looping formula $\varphi$ and an infinite word $\xi$, let $\xi = \eta_1 \eta_2 \ldots$. If $\forall i \geq 1 \cdot \varphi \xrightarrow{\eta_i} \varphi \wedge \eta_i \models_f \varphi$, then $\xi \models \varphi$.

The soundness property of the looping formula says that if there exists a partitioning $\xi = \eta_1 \eta_2 \ldots$ such that $\varphi$ expands to itself by each $\eta_i$ and $\eta_i \models_f \varphi$ holds, then $\xi \models \varphi$.

Lemma 5 (Completeness). Given a looping formula $\varphi$ and an infinite word $\xi$, if $\varphi \to^* \varphi$ and $\xi \models \varphi$ hold, then there exists a partitioning $\eta_1 \eta_2 \ldots$ of $\xi$, i.e. $\xi = \eta_1 \eta_2 \ldots$, such that for all $i \geq 1$, $\varphi \xrightarrow{\eta_i} \varphi \wedge \eta_i \models_f \varphi$ holds.

The completeness property of the looping formula states the other direction. If $\varphi \to^* \varphi$ as well as $\xi \models \varphi$, we can find a partitioning $\eta_1 \eta_2 \ldots$ that makes $\varphi$ expand to itself by each $\eta_i$ with $\eta_i \models_f \varphi$. Combining Lemma 4, Lemma 5 and Corollary 1, we have our central theorem:

Theorem 4 (Central Theorem). Given a formula $\lambda$ and an infinite word $\xi$, we have

$\xi \models \lambda \iff \exists \varphi, n \cdot \lambda \xrightarrow{\xi^n} \varphi \wedge \exists\, \xi_n = \eta_1 \eta_2 \ldots \cdot \forall i \geq 1 \cdot \varphi \xrightarrow{\eta_i} \varphi \wedge \eta_i \models_f \varphi$

The central theorem states that given a formula $\lambda$, we can always extend it to a looping formula which satisfies the soundness and completeness properties. Reconsider Figure 4: the formula $\lambda$ extends to the looping formula $\varphi$ by $\xi^n$, and $\xi_n$ can be partitioned into sequences $\eta_1 \eta_2 \ldots$. The loops from $\varphi$ correspond to these finite sequences $\eta_i$ in the sense that $\eta_i \models_f \varphi$.

4.4 Büchi Automata for General Formulas

Our central theorem sheds light on the correspondence between an accepting run and the expansion path from $\lambda$. However, how can we guarantee the predicate $\models_f$ for looping formulas in the theorem? We need a last ingredient before starting our automaton construction: we extract obligation sets from LTL formulas, which will enable us to characterize $\models_f$.

Definition 7. Given a formula $\varphi$, we define its obligation set $OS_\varphi$ as follows:

1. If $\varphi = p$, $OS_\varphi = \{\{p\}\}$;

2. If $\varphi = X\psi$, $OS_\varphi = OS_\psi$;

3. If $\varphi = \psi_1 \vee \psi_2$, $OS_\varphi = OS_{\psi_1} \cup OS_{\psi_2}$;

4. If $\varphi = \psi_1 \wedge \psi_2$, $OS_\varphi = \{S_1 \cup S_2 \mid S_1 \in OS_{\psi_1} \wedge S_2 \in OS_{\psi_2}\}$;

5. If $\varphi = \psi_1 U \psi_2$ or $\psi_1 R \psi_2$, $OS_\varphi = OS_{\psi_2}$.

Every element $O \in OS_\varphi$ is called an obligation of $\varphi$.

The obligation set provides all obligations (elements of the obligation set) the given formula is supposed to have. Intuitively, a run $\xi$ accepts a formula $\varphi$ if $\xi$ can eliminate the obligations of $\varphi$. Take the example of $G(aRb)$: the run $(\{b\})^\omega$ satisfies $aRb$, and the run eliminates the obligation set $\{\{b\}\}$ infinitely often.

Notice the similarity between the definition of the obligation set and the predicate $\models_f$. For instance, the obligation set of $\varphi_1 R \varphi_2$ is the obligation set of $\varphi_2$, which mirrors the definition of $\models_f$. The interesting rule is the conjunctive one. For an obligation set $OS_\varphi$, there may be more than one element in $OS_\varphi$. However, from the point of view of satisfiability, if one obligation in $OS_\varphi$ is satisfied, we can say that the obligations of $\varphi$ are fulfilled. This view leads to the definition of the conjunctive rule. For $\psi_1 \wedge \psi_2$, we need to fulfil the obligations of both $\psi_1$ and $\psi_2$, which means we have to trace all possible unions of elements of $OS_{\psi_1}$ and $OS_{\psi_2}$. For instance, the obligation set of $G(aUb \wedge cU(d \vee e))$ is $\{\{b, d\}, \{b, e\}\}$. The following lemma gives the relationship between $\models_f$ and the obligation set.



Lemma 6. For all $O \in OS_\varphi$, it holds that $O \models_f \varphi$. On the other side, $S \models_f \varphi$ implies that $\exists O \in OS_\varphi \cdot O \subseteq S$.

For our input formula $\lambda$, we now discuss how to construct the Büchi automaton $\mathcal{A}_\lambda$. We first describe the states of the automaton. A state consists of a formula $\varphi$ and a process set that keeps track of the properties that have been satisfied so far. Formally:

Definition 8 (states of the automaton for $\lambda$). A state is a tuple $(\varphi, P)$ where $\varphi$ is a formula from $EF(\lambda)$, and $P \subseteq AP$ is a process set.

Refer again to Figure 4: reading the input finite sequence $\eta_i$, each element in the process set $P_i$ corresponds to a property belonging to $AP$, which is used to keep track of whether all elements of an obligation have been met upon returning to a $\varphi$-state. If we have $P_i = \emptyset$, we have successfully returned to an accepting state. Now we have all ingredients for constructing our Büchi automaton $\mathcal{A}_\lambda$.

Definition 9 (Büchi Automaton $\mathcal{A}_\lambda$). The Büchi automaton for the formula $\lambda$ is defined as $\mathcal{A}_\lambda = (\Sigma, S, \delta, S_0, F)$, where $\Sigma = 2^{AP}$ and:

- $S = \{(\varphi, P) \mid \varphi \in EF(\lambda)\}$ is the set of states;

- $S_0 = \{(\lambda, \emptyset)\}$ is the set of initial states;

- $F = \{(\varphi, \emptyset) \mid \varphi \in EF(\lambda)\}$ is the set of accepting states;

- Let $s_1, s_2$ be states with $s_1 = (\varphi_1, P_1)$, $s_2 = (\varphi_2, P_2)$ and let $\omega \in 2^{AP}$. Then $s_2 \in \delta(s_1, \omega)$ iff there exists $\varphi_1 \xrightarrow{\alpha} \varphi_2$ with $\omega \models \alpha$ such that the corresponding $P_2$ is updated by:

1. $P_2 = \emptyset$ if $\exists O \in OS_{\varphi_2} \cdot O \subseteq P_1 \cup CF(\alpha)$,

2. $P_2 = P_1 \cup CF(\alpha)$ otherwise.

The transition is determined by the expansion relation $\varphi_1 \xrightarrow{\alpha} \varphi_2$ such that $\omega \models \alpha$. The process set $P_2$ is updated to $P_1 \cup CF(\alpha)$ unless there is an element $O \in OS_{\varphi_2}$ such that $P_1 \cup CF(\alpha) \supseteq O$. In that case $P_2$ is set to $\emptyset$ and the corresponding state is recognized as an accepting one.
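Definition 7 and the process-set update of Definition 9, as an added example that is not the authors' code. It computes obligation sets from the formula syntax, applies the update rule (with the two optimisations stated later in this section: merging formulas with the same clause set, and keeping only atoms that occur in the obligation set), and rebuilds the four-state automaton of the running example. The expansion relation of $\varphi_1, \ldots, \varphi_4$ is transcribed by hand from Section 2; the tuple syntax, the `{true}` marker and the values of $OS_{\mathit{True}}$ and $OS_{\mathit{False}}$ are this example's own assumptions.

```python
"""Added example, not the authors' code: obligation sets (Definition 7), the
process-set update of Definition 9 with the two optimisations of Section 4.4,
and the resulting automaton for the running example G(bUc /\ dUe).

Formula syntax (nested tuples, chosen here): ("lit", "a"), ("true",),
("false",), ("X", f), ("U", f, g), ("R", f, g), ("and", f, g), ("or", f, g).
The expansion relation of the running example (the four clauses shared by
phi1..phi4 in Section 2) is written down by hand in EXPANSION rather than
computed from the DNF rules."""
from itertools import product

TRUE, FALSE = ("true",), ("false",)
NOTHING = frozenset({"true"})   # the paper's {true}: no obligation atom met yet


def lit(name):
    return ("lit", name)


def obligation_set(f):
    """OS_phi of Definition 7: a set of obligations, each a frozenset of
    literals.  OS(True) = {{}} and OS(False) = {} are our own assumptions;
    the paper leaves these two cases undefined."""
    if f == TRUE:
        return {frozenset()}
    if f == FALSE:
        return set()
    op = f[0]
    if op == "lit":                       # rule 1
        return {frozenset({f[1]})}
    if op == "X":                         # rule 2
        return obligation_set(f[1])
    if op == "or":                        # rule 3
        return obligation_set(f[1]) | obligation_set(f[2])
    if op == "and":                       # rule 4: all pairwise unions
        return {o1 | o2 for o1, o2 in
                product(obligation_set(f[1]), obligation_set(f[2]))}
    if op in ("U", "R"):                  # rule 5: only the right operand
        return obligation_set(f[2])
    raise ValueError(f)


def next_process_set(P1, label, target):
    """Definition 9: P2 = {} if some O in OS_target is inside P1 u CF(alpha),
    else P1 u CF(alpha).  The second optimisation keeps only atoms that occur
    in OS_target, and {true} marks an empty but not-yet-reset set."""
    os_target = obligation_set(target)
    atoms = frozenset().union(*os_target)
    met = (P1 | label) & atoms
    if any(o <= met for o in os_target):
        return frozenset()                # obligation fulfilled: accepting
    return met or NOTHING


def build_automaton(start, expansion):
    """Explore states (phi, P) from (start, {}) over expansion =
    {phi: [(label, successor), ...]}.  Formulas with the same clause set are
    merged (first optimisation).  Returns (states, edges, accepting)."""
    representative = {}

    def canon(phi):
        return representative.setdefault(frozenset(expansion[phi]), phi)

    init = (canon(start), frozenset())
    states, edges, todo = {init}, [], [init]
    while todo:
        phi, P = todo.pop()
        for label, psi in expansion[phi]:
            s2 = (canon(psi), next_process_set(P, label, psi))
            edges.append(((phi, P), label, s2))
            if s2 not in states:
                states.add(s2)
                todo.append(s2)
    accepting = {s for s in states if s[1] == frozenset()}
    return states, edges, accepting


# Running example of Section 2 (G p is written as False R p).
b, c, d, e = (lit(n) for n in "bcde")
BUC, DUE = ("U", b, c), ("U", d, e)
PHI1 = ("R", FALSE, ("and", BUC, DUE))            # G(bUc /\ dUe)
PHI2 = ("and", BUC, PHI1)
PHI3 = ("and", DUE, PHI1)
PHI4 = ("and", BUC, ("and", DUE, PHI1))
# Shared DNF of phi1..phi4, transcribed from Section 2: label -> successor.
CLAUSES = [(frozenset("ce"), PHI1), (frozenset("be"), PHI2),
           (frozenset("cd"), PHI3), (frozenset("bd"), PHI4)]
EXPANSION = {phi: CLAUSES for phi in (PHI1, PHI2, PHI3, PHI4)}

if __name__ == "__main__":
    states, edges, accepting = build_automaton(PHI1, EXPANSION)
    print(len(states), "states,", len(edges), "edges,",
          len(accepting), "accepting")
```

The result is the automaton of Fig. 3: four states distinguished by their process sets $\emptyset$, $\{e\}$, $\{c\}$ and $\{\mathit{true}\}$, sixteen transitions, and the single accepting state $(\varphi_1, \emptyset)$.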

Now we state the correctness of our construction:

Theorem 5 (Correctness of Automata Generation). Let $\lambda$ be the input formula. Then, for any sequence $\xi \in \Sigma^\omega$, it holds that $\xi \models \lambda$ iff $\xi$ is accepted by $\mathcal{A}_\lambda$.

The correctness follows mainly from the fact that our construction strictly adheres to our central theorem (Theorem 4).

We note that two very simple optimizations can be identified for our construction:

- If two states have the same DNF normal form and the same process set $P$, they are identical. Precisely, we merge states $s_1 = (\varphi_1, P_1)$ and $s_2 = (\varphi_2, P_2)$ if $DNF(\varphi_1) = DNF(\varphi_2)$ and $P_1 = P_2$;

- The elements of the process set $P$ can be restricted to those atomic propositions appearing in $OS_\varphi$ (recall that $\varphi \in EF(\lambda)$). One can observe directly that only those properties are used for checking the obligation conditions, while the others are never used and can therefore be omitted from the process set $P$.

Now we can finally explain a final detail of our running example:

Example 1. In our running example, state $s_1$ is the accepting state of the automaton. It should be mentioned that the state $s_2 = (\varphi_2, \{e\})$ originally has an edge labelled $c \wedge d$ to the state $(\varphi_3, \emptyset)$ according to our construction, which is a new state. However, this state is equivalent to $s_1 = (\varphi_1, \emptyset)$, as $\varphi_1$ and $\varphi_3$ have the same DNF normal form. So these two states are merged. The same happens for the edge labelled $b \wedge e$ from state $s_3$ to state $s_1$, the edge labelled $b \wedge d$ from state $s_2$ to state $s_2$, and so on. After merging these states, we obtain the automaton depicted in Figure 3.

Theorem 6 (Complexity). Let $\lambda$ be the input formula. Then the number of states of the Büchi automaton $\mathcal{A}_\lambda$ has the upper bound $2^{2n+1}$, where $n$ is the number of subformulas of $\lambda$.

The number of states is bounded by $2^{n+1} \cdot 2^{|AP|} \leq 2^{2n+1}$. Recall that in the construction $AP$ is the set of atomic propositions appearing in $\lambda$, so $|AP|$ is much smaller than $n$ in general. We remark that the first factor $2^{n+1}$ is much smaller in practice due to equivalent DNF representations. Indeed, it can be reduced to $2^{dnf(\lambda)+1}$, where $dnf(\lambda)$ denotes the number of equivalence classes of $EF(\lambda)$ induced by equivalent DNF representations. In our running example, all of the formulas have the same DNF normal form, thus this factor is equal to $2^{1+1} = 4$. On the other side, the second factor $2^{|AP|}$ can be further reduced to the set of atomic propositions that appear in the obligation sets: in our running example this is $|\{c, e\}|$.

5 Discussion 

In this section, we discuss the relationship and the differences between our proposed approach and the tableau construction.

Generally speaking, our approach is essentially a tableau one, based on the expansion laws of the Until and Release operators. The interesting aspect of our approach is the discovery of a special normal form with its DNF-based labelled transition system, which is closely related to the Büchi automaton under construction. The tableau approach explicitly expands the formula recursively based on the semantics of LTL formulas, while the nodes of the potential automaton are split until no new node is generated. Our approach, in contrast, first studies the LTL normal forms to discover the obligations we have to fulfil for the automaton to be generated, and then presents a simple mapping from LTL formulas to Büchi automata.

The insight behind our approach is adopting a different view on the accepting conditions. The tableau approach focuses on the Until operator. For instance, to decide the accepting states, the tableau approach needs to trace all the Until subformulas and record the "eventuality" of $\psi$ in $\varphi U \psi$, which leads to the introduction of Generalized Büchi Automata (GBA) in the tableau approach. Our approach instead focuses on the looping formulas, which are the candidates for accepting states. Intuitively, an infinite sequence (word) satisfies the formula $\lambda$ iff $\lambda$ can expand to some looping formula $\varphi$ which is satisfied by the suffix of the word obtained by removing the finite sequence that arrives at $\varphi$. The key point of our approach is to introduce the static obligation set for each formula in the DNF-based labelled transition system, which indicates that an accepting run is supposed to fulfil one of the obligations in the obligation set infinitely often. Thus, the obligation set gives an "invariability" condition for general formulas instead of the "eventuality" condition for Until formulas. In the approach, we use a process set to record the obligation that the formula $\varphi$ has satisfied since its last appearance. Then we can easily decide the accepting states when the process set fulfils one obligation in the obligation set of $\varphi$ (we reset it to empty afterwards). One can also note that our approach is on-the-fly: the successors of the current state can be obtained as soon as its DNF normal form is acquired.

The most interesting part is that our approach can give a more precise theoretical upper bound for the complexity of the translation when compared to the tableau framework (Theorem 6). And a better one can be acquired when the formulas are restricted to Release-free or Until-free ones (Theorem 3).

6 Conclusion 

In this paper, we propose the disjunctive-normal forms for LTL formulas. Based on the DNF representation, we introduce the DNF-based labeled transition system for formula $\lambda$ and study the relationship between the transition system and the Büchi automata for $\lambda$. Thus, a simple but on-the-fly automata construction is achieved. When the formula under construction is Release/Until-free, our construction is very straightforward in theory, and leads to at most $2^{n+1}$ states. In the general case, our approach gives a more precise bound of $2^{2n+1}$ compared to the $2^{O(n)}$ of the tableau construction.
A Proofs



A.1 Proof of Theorem 1

Let $\varphi$ be a formula $\varphi = \bigvee_{i \in I} \varphi_i$ such that the root operator of each $\varphi_i$ is not a disjunction: then we define the disjunctive formula set as $DF(\varphi) := \{\varphi_i \mid i \in I\}$. When $\varphi$ does not have a disjunction as its root operator, $DF(\varphi)$ only includes $\varphi$ itself.

Proof. First we can directly use the rules in Lemma 1 to generate an intermediate normal form for $\varphi$, whose format is $\bigvee_i (\alpha_i \wedge X\psi_i)$ where $\alpha_i$ is a propositional formula and $\psi_i$ is an LTL formula without any of the constraints in Definition 1. We denote the set of this intermediate normal form of the formula $\varphi$ as $DNF_1(\varphi)$.

Second we prove that any intermediate normal form can be changed to the disjunctive-normal form. Intuitively, for each $\alpha_i$ and $\psi_i$ the corresponding $DF(\alpha_i)$ and $DF(\psi_i)$ can be obtained trivially. Then we can get the final disjunctive-normal form through the following two steps:

1. $DNF_2(\varphi) = \{\alpha_i \wedge X\psi \mid \alpha \wedge X\psi \in DNF_1(\varphi) \wedge \alpha_i \in DF(\alpha)\}$;

2. $DNF(\varphi) = \{\alpha \wedge X\psi_i \mid \alpha \wedge X\psi \in DNF_2(\varphi) \wedge \psi_i \in DF(\psi)\}$.

A.2 Proof of Theorem 2

Let $n$ be the number of subformulas in $\lambda$. Moreover, let $cl(\lambda)$ be the set of subformulas in $\lambda$ together with $True$, so obviously $|cl(\lambda)| = n + 1$. Before the proof we introduce two lemmas first.

Lemma 7. Let $\alpha \wedge X\psi \in DNF(\varphi)$; then $CF(\psi) \subseteq cl(\varphi)$.

Proof. We prove it by structural induction over $\varphi$.

— Basic step: If $\varphi$ is the literal $p$, then since $p = p \wedge XTrue$, obviously $CF(True) \subseteq cl(\varphi)$.

— Inductive step: If the formulas $\varphi_i$ ($i = 1, 2$) satisfy $\alpha \wedge X\psi \in DNF(\varphi_i) \Rightarrow CF(\psi) \subseteq cl(\varphi_i)$, then:

1. If $\varphi = \varphi_1 \vee \varphi_2$, we know $cl(\varphi) = cl(\varphi_1) \cup cl(\varphi_2) \cup \{\varphi_1 \vee \varphi_2\}$. According to Lemma 1(5) we have $\alpha \wedge X\psi \in DNF(\varphi) \Rightarrow \alpha \wedge X\psi \in DNF(\varphi_1) \cup DNF(\varphi_2)$, then by induction hypothesis we have $CF(\psi) \subseteq cl(\varphi_1) \cup cl(\varphi_2)$, so $CF(\psi) \subseteq cl(\varphi)$;

2. If $\varphi = X\varphi_1$, we know $cl(\varphi) = cl(\varphi_1) \cup \{X\varphi_1\}$. According to Lemma 1(2) we have $\alpha \wedge X\psi \in DNF(\varphi) \Rightarrow \psi = \varphi_1$, so $CF(\psi) \subseteq cl(\varphi_1) \subseteq cl(\varphi)$;

3. If $\varphi = \varphi_1 \wedge \varphi_2$, we know $cl(\varphi_1 \wedge \varphi_2) = \{\varphi_1 \wedge \varphi_2\} \cup cl(\varphi_1) \cup cl(\varphi_2)$. According to Lemma 1(6) we know $\alpha \wedge X\psi \in DNF(\varphi_1 \wedge \varphi_2) \Rightarrow \exists \alpha_1 \wedge X\psi_1 \in DNF(\varphi_1), \alpha_2 \wedge X\psi_2 \in DNF(\varphi_2) \cdot \alpha = \alpha_1 \wedge \alpha_2 \wedge \psi = \psi_1 \wedge \psi_2$. Then by induction hypothesis we have $CF(\psi_1) \subseteq cl(\varphi_1)$ and $CF(\psi_2) \subseteq cl(\varphi_2)$, so $CF(\psi) \subseteq cl(\varphi_1) \cup cl(\varphi_2) \subseteq cl(\varphi_1 \wedge \varphi_2)$;

4. If $\varphi = \varphi_1 U \varphi_2$, we know $cl(\varphi_1 U \varphi_2) = cl(\varphi_1) \cup cl(\varphi_2) \cup \{\varphi_1 U \varphi_2\}$. According to Lemma 1(3), if $\alpha \wedge X\psi \in DNF(\varphi_2)$ then $CF(\psi) \subseteq cl(\varphi_2)$ directly by induction hypothesis; else if $\alpha \wedge X\psi \in \{\alpha \wedge X(\psi_1 \wedge \varphi_1 U \varphi_2) \mid \alpha \wedge X\psi_1 \in DNF(\varphi_1)\}$ then by induction hypothesis we have $CF(\psi) = CF(\psi_1) \cup \{\varphi_1 U \varphi_2\} \subseteq cl(\varphi_1) \cup \{\varphi_1 U \varphi_2\} \subseteq cl(\varphi_1 U \varphi_2)$;

5. If $\varphi = \varphi_1 R \varphi_2$ one can also prove in a similar way that $\alpha \wedge X\psi \in DNF(\varphi) \Rightarrow CF(\psi) \subseteq cl(\varphi)$.

Lemma 8. Let $\psi \in EF(\varphi)$; then $CF(\psi) \subseteq cl(\varphi)$.

Proof. We prove it by induction over the number of steps in which $\psi$ can be reached from $\varphi$.

— Base step: If $\alpha \wedge X\psi \in DNF(\varphi)$ then according to Lemma 7 we know $CF(\psi) \subseteq cl(\varphi)$.

— Induction step: If $\varphi \to \psi_1 \to \psi_2 \to \cdots \to \psi_k = \psi$ where $k \ge 1$ and $CF(\psi) \subseteq cl(\varphi)$ hold, then according to Lemma 7 we know for all $\nu \in CF(\psi)$ we have $\beta \wedge X\mu \in DNF(\nu) \Rightarrow CF(\mu) \subseteq cl(\nu) \subseteq cl(\varphi)$. Then according to Lemma 1(6) we know $\forall \alpha \wedge X\psi' \in DNF(\psi) \cdot CF(\psi') \subseteq cl(\varphi)$ holds. That is, if $\psi$ can be reached from $\varphi$ in $k$ steps and $CF(\psi) \subseteq cl(\varphi)$ holds, then any $\psi'$ that can be reached from $\varphi$ in $k + 1$ steps also has $CF(\psi') \subseteq cl(\varphi)$.

Now we come to prove Theorem 2. From Lemma 8 we know for all $\psi \in EF(\lambda)$, if $\mu \in CF(\psi)$ then $\mu \in cl(\lambda)$, i.e. $CF(\psi) \subseteq cl(\lambda)$. So the number of elements in $CF(\psi)$ cannot exceed the number of elements in $cl(\lambda)$, i.e. $|CF(\psi)| \le |cl(\lambda)|$, and since $\psi$ is determined by $CF(\psi)$, there are at most as many $\psi$ as subsets of $cl(\lambda)$. Thus $|EF(\lambda)| \le 2^{|cl(\lambda)|} = 2^{n+1}$.
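The DNF rules of the Theorem 1 proof and the bound of Theorem 2 carried out on small formulas, as an added worked example that is not the paper's code; the tuple encoding of formulas and the frozenset encoding of states are choices made here for the example.

```python
"""Added worked example, not the paper's code: DNF(φ) by the expansion rules
of the Theorem 1 proof, the expansion set EF(λ), and a check of Lemma 8 and
Theorem 2 (CF(ψ) ⊆ cl(λ), |EF(λ)| ≤ 2^(n+1)).  Formulas are tuples
('lit', 'p') / ('lit', '!p'), ('true',), ('X', f), ('or', f, g),
('and', f, g), ('U', f, g), ('R', f, g).  A successor ψ is kept as CF(ψ), the
frozenset of its conjuncts (True = empty set), so conjunctions that differ only
in order or repetition merge (the "equivalent DNF representations" remark after
Theorem 6).  A label α is the frozenset of its literal names."""

def conj(f):
    """CF(f): the conjuncts of f as a frozenset; True contributes nothing."""
    if f == ('true',):
        return frozenset()
    if f[0] == 'and':
        return conj(f[1]) | conj(f[2])
    return frozenset([f])

def dnf(f):
    """DNF(f) as a set of pairs (α, CF(ψ)), one per disjunct α ∧ Xψ."""
    op = f[0]
    if op == 'true':
        return {(frozenset(), frozenset())}
    if op == 'lit':                       # p = p ∧ X True
        return {(frozenset([f[1]]), frozenset())}
    if op == 'X':                         # Xφ1 = True ∧ Xφ1
        return {(frozenset(), conj(f[1]))}
    if op == 'or':                        # DNF(φ1) ∪ DNF(φ2)
        return dnf(f[1]) | dnf(f[2])
    if op == 'and':                       # pairwise conjunction of disjuncts
        return {(a1 | a2, p1 | p2) for a1, p1 in dnf(f[1]) for a2, p2 in dnf(f[2])}
    if op == 'U':                         # φ1Uφ2 = φ2 ∨ (φ1 ∧ X(φ1Uφ2))
        return dnf(f[2]) | {(a, p | {f}) for a, p in dnf(f[1])}
    if op == 'R':                         # φ1Rφ2 = (φ1∧φ2) ∨ (φ2 ∧ X(φ1Rφ2))
        return dnf(('and', f[1], f[2])) | {(a, p | {f}) for a, p in dnf(f[2])}
    raise ValueError(f'unknown operator {op!r}')

def dnf_state(state):
    """DNF of a state given as CF(ψ): the ∧-rule folded over its conjuncts."""
    acc = {(frozenset(), frozenset())}
    for g in state:
        acc = {(a1 | a2, p1 | p2) for a1, p1 in acc for a2, p2 in dnf(g)}
    return acc

def subformulas(f):
    """All subformulas of f, f included; cl(f) is this set plus True."""
    subs = {f}
    for child in f[1:]:
        if isinstance(child, tuple):
            subs |= subformulas(child)
    return subs

def expansion_set(lam):
    """EF(λ): the λ-state and every state reachable from it through DNF
    successors.  Returns (EF, trans) with trans[state] = DNF(state)."""
    start = conj(lam)
    ef, work, trans = {start}, [start], {}
    while work:
        st = work.pop()
        trans[st] = dnf_state(st)
        for _, nxt in trans[st]:
            if nxt not in ef:
                ef.add(nxt)
                work.append(nxt)
    return ef, trans

def check_theorem2(lam):
    """Checks Lemma 8 and the Theorem 2 bound on lam; returns (|EF(λ)|, n)."""
    cl = subformulas(lam)                 # True never occurs as a conjunct
    ef, _ = expansion_set(lam)
    if not all(st <= cl for st in ef):
        raise AssertionError('Lemma 8 violated')
    n = len(cl)
    if len(ef) > 2 ** (n + 1):
        raise AssertionError('Theorem 2 bound violated')
    return len(ef), n
```

For $p U q$ the states are $\{p U q\}$ and $True$, so $|EF| = 2$ against the bound $2^{3+1}$; the gap is the slack the remark after Theorem 6 refers to.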

A.3 Proof of Lemma 3

We first prove the first part of the lemma by induction over the formula $\varphi$.

— Basic step: If $\varphi = p$, then $OS_\varphi = \{\{p\}\}$, and $\{p\} \models_f p$ is obviously true.

— Inductive step: If for the formulas $\psi_i$ ($i = 1, 2$), $\forall O \in OS_{\psi_i} \cdot O \models_f \psi_i$ holds, then we have:

1. If $\varphi = X\psi_1$, then $OS_\varphi = OS_{\psi_1}$. Since for each $O$ in $OS_\varphi$ the predicate $O \models_f \varphi = O \models_f \psi_1$ according to its definition, and since $OS_\varphi = OS_{\psi_1}$, we have $O \in OS_{\psi_1}$. Then by induction hypothesis we know $O \models_f \psi_1$ holds, thus $O \models_f \varphi$ holds.

2. If $\varphi = \psi_1 \vee \psi_2$, then $OS_\varphi = OS_{\psi_1} \cup OS_{\psi_2}$, so we know $\forall O \in OS_\varphi \cdot O \in OS_{\psi_1} \vee O \in OS_{\psi_2}$. Then since $O \models_f \varphi = O \models_f \psi_1 \vee O \models_f \psi_2$, and by induction hypothesis $O \models_f \psi_1$ holds when $O \in OS_{\psi_1}$ while $O \models_f \psi_2$ holds when $O \in OS_{\psi_2}$. Due to $O \in OS_{\psi_1} \vee O \in OS_{\psi_2}$, $O \models_f \varphi = O \models_f \psi_1 \vee O \models_f \psi_2$ is true.

3. If $\varphi = \psi_1 \wedge \psi_2$, then $OS_\varphi = \{S_1 \cup S_2 \mid S_1 \in OS_{\psi_1} \wedge S_2 \in OS_{\psi_2}\}$. Then $\forall O \in OS_\varphi \cdot \exists S_1 \in OS_{\psi_1}, S_2 \in OS_{\psi_2} \cdot O = S_1 \cup S_2$. By induction hypothesis $S_1 \models_f \psi_1$ and $S_2 \models_f \psi_2$ are true, thus $O \models_f \varphi = S_1 \cup S_2 \models_f \psi_1 \wedge S_1 \cup S_2 \models_f \psi_2$ holds.

4. If $\varphi = \psi_1 U \psi_2$, then $OS_\varphi = OS_{\psi_2}$. Since for each $O$ in $OS_\varphi$, $O \models_f \varphi = O \models_f \psi_2$, and by induction hypothesis $O \models_f \psi_2$ holds, $O \models_f \varphi$ also holds. Similarly one can prove the case $\varphi = \psi_1 R \psi_2$ and we omit it here.

We then prove the second part of the lemma, also by induction over the formula $\varphi$.

— Basic step: If $\varphi = p$, then $OS_\varphi = \{\{p\}\}$, and $S \models_f p \Rightarrow p \in S$. So obviously $\exists O \in OS_\varphi \cdot O \subseteq S$.

— Inductive step: If for the formulas $\psi_i$ ($i = 1, 2$), $S \models_f \psi_i \Rightarrow \exists O_i \in OS_{\psi_i} \cdot O_i \subseteq S$ holds, then we have:

1. If $\varphi = X\psi_1$, then we know $OS_\varphi = OS_{\psi_1}$ and $S \models_f \varphi = S \models_f \psi_1$. Since by induction hypothesis $S \models_f \psi_1 \Rightarrow \exists O \in OS_{\psi_1} \cdot O \subseteq S$, and $OS_{\psi_1} = OS_\varphi$, we have $O \in OS_\varphi$. Thus $S \models_f \varphi \Rightarrow \exists O \in OS_\varphi \cdot O \subseteq S$ holds.

2. If $\varphi = \psi_1 \vee \psi_2$, then we have $OS_\varphi = OS_{\psi_1} \cup OS_{\psi_2}$, and $S \models_f \varphi = S \models_f \psi_1 \vee S \models_f \psi_2$. By induction hypothesis $S \models_f \psi_1 \Rightarrow \exists O \in OS_{\psi_1} \cdot O \subseteq S$ and $S \models_f \psi_2 \Rightarrow \exists O \in OS_{\psi_2} \cdot O \subseteq S$, so $S \models_f \varphi \Rightarrow \exists O \in OS_{\psi_1} \cup OS_{\psi_2} \cdot O \subseteq S$, in which $OS_{\psi_1} \cup OS_{\psi_2}$ is exactly $OS_\varphi$. Thus $S \models_f \varphi \Rightarrow \exists O \in OS_\varphi \cdot O \subseteq S$ holds.

3. If $\varphi = \psi_1 \wedge \psi_2$, then $OS_\varphi = \{S_1 \cup S_2 \mid S_1 \in OS_{\psi_1} \wedge S_2 \in OS_{\psi_2}\}$. Since $S \models_f \varphi = S \models_f \psi_1 \wedge S \models_f \psi_2$, and by induction hypothesis we have $S \models_f \psi_i \Rightarrow \exists O_i \in OS_{\psi_i} \cdot O_i \subseteq S$ for $i = 1, 2$, we get $S \models_f \varphi \Rightarrow \exists O = O_1 \cup O_2 \cdot O \subseteq S$. Obviously $O \in OS_\varphi$, so $S \models_f \varphi \Rightarrow \exists O \in OS_\varphi \cdot O \subseteq S$ holds.

4. If $\varphi = \psi_1 U \psi_2$, then we know $OS_\varphi = OS_{\psi_2}$ and $S \models_f \varphi = S \models_f \psi_2$. By induction hypothesis $S \models_f \psi_2 \Rightarrow \exists O \in OS_{\psi_2} \cdot O \subseteq S$, and since $OS_\varphi = OS_{\psi_2}$, $O$ is also in $OS_\varphi$. Thus $S \models_f \varphi \Rightarrow \exists O \in OS_\varphi \cdot O \subseteq S$ holds. Similarly one can prove the case $\varphi = \psi_1 R \psi_2$ and we omit it here.
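The obligation sets and $\models_f$ of this proof, together with the process-set bookkeeping described in the Discussion, as an added worked example that is not the paper's code. The Release cases are assumed to mirror the Until cases (the proof calls them similar and omits them), and $True$ is assumed to carry the empty obligation.

```python
"""Added worked example, not the paper's code: the obligation set OS_φ and
the relation S ⊨_f φ as used in the proof of Lemma 3, a brute-force check of
both parts of Lemma 3, and the process set of the Discussion.  Formulas are
tuples ('lit', 'p'), ('true',), ('X', f), ('or', f, g), ('and', f, g),
('U', f, g), ('R', f, g); S and each obligation O are sets of literal names.
Assumption: the R cases mirror the U cases (the proof says they are
"similar" and omits them), and True has the empty obligation."""
from itertools import chain, combinations

def obligation_set(f):
    """OS_φ as a set of frozensets, following the cases of the Lemma 3 proof."""
    op = f[0]
    if op == 'true':                      # assumed: nothing to fulfil
        return {frozenset()}
    if op == 'lit':                       # OS_p = {{p}}
        return {frozenset([f[1]])}
    if op == 'X':                         # OS_Xψ1 = OS_ψ1
        return obligation_set(f[1])
    if op == 'or':                        # OS_ψ1 ∪ OS_ψ2
        return obligation_set(f[1]) | obligation_set(f[2])
    if op == 'and':                       # {S1 ∪ S2 | S1 ∈ OS_ψ1, S2 ∈ OS_ψ2}
        return {s1 | s2 for s1 in obligation_set(f[1])
                for s2 in obligation_set(f[2])}
    if op in ('U', 'R'):                  # OS_ψ1Uψ2 = OS_ψ2; R assumed alike
        return obligation_set(f[2])
    raise ValueError(f'unknown operator {op!r}')

def sat_f(S, f):
    """S ⊨_f φ (Definition 6) for a set S of literal names."""
    op = f[0]
    if op == 'true':
        return True
    if op == 'lit':
        return f[1] in S
    if op == 'X':
        return sat_f(S, f[1])
    if op == 'or':
        return sat_f(S, f[1]) or sat_f(S, f[2])
    if op == 'and':
        return sat_f(S, f[1]) and sat_f(S, f[2])
    if op in ('U', 'R'):                  # S ⊨_f ψ1Uψ2 iff S ⊨_f ψ2; R alike
        return sat_f(S, f[2])
    raise ValueError(f'unknown operator {op!r}')

def literals(f):
    """Literal names occurring in f."""
    if f[0] == 'lit':
        return {f[1]}
    return set().union(*(literals(c) for c in f[1:] if isinstance(c, tuple)))

def check_lemma3(f):
    """Part 1: every O ∈ OS_φ satisfies O ⊨_f φ.  Part 2: every S ⊆ literals(φ)
    with S ⊨_f φ contains some O ∈ OS_φ (larger S only add irrelevant
    literals).  Returns True when both parts hold for f."""
    os_f = obligation_set(f)
    part1 = all(sat_f(O, f) for O in os_f)
    lits = sorted(literals(f))
    subsets = chain.from_iterable(combinations(lits, k) for k in range(len(lits) + 1))
    part2 = all(any(O <= S for O in os_f)
                for S in map(set, subsets) if sat_f(S, f))
    return part1 and part2

def process_set_run(f, labels):
    """The process set of the Discussion: P collects the literals of the labels
    seen since the last reset; once some O ∈ OS_φ is contained in P the state
    counts as accepting and P is emptied.  Returns the indices of those steps."""
    os_f, P, hits = obligation_set(f), set(), []
    for i, alpha in enumerate(labels):
        P |= set(alpha)
        if any(O <= P for O in os_f):
            hits.append(i)
            P = set()
    return hits
```

For $(a U b) \wedge X(c \vee d)$ the obligation set is $\{\{b, c\}, \{b, d\}\}$, and over the constructed label sequence $\{a\}, \{b\}, \{c\}, \{b, d\}$ an obligation is fulfilled at steps 2 and 3.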

A.4 Proof of Lemma 4

There are some other lemmas that need to be introduced before we prove this lemma.

Lemma 9. $\mu \in cl(\nu) \wedge \nu \in cl(\mu) \Rightarrow \mu = \nu$.

Proof. According to the definition of $cl$, it is definitely true.

Lemma 10. $\varphi \leadsto \varphi \Rightarrow \exists \mu \in CF(\varphi) \cdot cl(\mu) \cap CF(\varphi) = \{\mu\}$.

Proof. For each $\mu$ in $CF(\varphi)$ let $S_\mu = cl(\mu) \cap CF(\varphi)$; then we know easily $S_\mu \supseteq \{\mu\}$. If $\forall \mu \in CF(\varphi) \cdot S_\mu \supsetneq \{\mu\}$, then we know $\exists \mu_1 \in S_\mu$ with $\mu_1 \ne \mu$. Since $\mu_1$ is also in $CF(\varphi)$, according to the assumption $\exists \mu_2 \in S_{\mu_1}$ with $\mu_2 \ne \mu_1$. Moreover, according to Lemma 9, $\mu_2 \ne \mu$ also holds. However, $\mu_2$ is also in $CF(\varphi)$ and has at least one subformula $\mu_3$ in $CF(\varphi)$ with $\mu_3 \ne \mu_2$. Repeating this indefinitely would make $CF(\varphi)$ an infinite set, which is obviously impossible. So this lemma is true.



Lemma 11. $\varphi \leadsto \varphi \Rightarrow \forall \varphi \xrightarrow{\eta} \varphi \cdot \exists \mu \in CF(\varphi) \cdot (\mu \xrightarrow{\eta} True \vee \mu \xrightarrow{\eta} \mu)$.

Proof. According to Lemma 10 we know $\exists \mu \in CF(\varphi) \cdot cl(\mu) \cap CF(\varphi) = \{\mu\}$. Then we know such a $\mu$ will meet, and only meet, $\mu \xrightarrow{\eta} True \vee \mu \xrightarrow{\eta} \mu$ whenever $\varphi \xrightarrow{\eta} \varphi$ holds.

Lemma 12. If $\varphi \leadsto \varphi$, then there exists $S_0 \subseteq S_1 \subseteq \ldots \subseteq S_n = CF(\varphi)$ ($n \ge 0$) such that $\forall \mu \in S_0 \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} True \vee \mu \xrightarrow{\eta} \mu$, and for $i \ge 1$ we have $\forall \mu \in S_i \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} \mu'$ and $CF(\mu') \subseteq S_{i-1} \cup \{\mu\}$.

Proof. From Lemma 11 we know $S_0 \ne \emptyset$. Then let $S_1 = S_0 \cup \{\mu \mid \mu \in CF(\varphi) \wedge \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} \mu' \wedge CF(\mu') \subseteq S_0 \cup \{\mu\}\}$. $S_1 \supseteq S_0$ holds for the same reason as for $S_0$: $\exists \mu \in CF(\varphi) \cdot cl(\mu) \cap CF(\varphi) = S_0 \cup \{\mu\}$, and such $\mu$s can be added into $S_1$. Inductively we can find the set $S_n = S_{n-1} \cup \{\mu \mid \mu \in CF(\varphi) \wedge \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} \mu' \wedge CF(\mu') \subseteq S_{n-1} \cup \{\mu\}\}$ ($n \ge 1$). Since $S_n \supseteq S_{n-1}$, $|CF(\varphi)|$ is finite and $\forall i \ge 0 \cdot S_i \subseteq CF(\varphi)$, we can finally find $S_n = CF(\varphi)$.
Fig. 5. A demonstration of Lemma 12.



A demonstration of this lemma is shown in Figure 5. In this case, $CF(\varphi) = \{\varphi_0, \varphi_1, \ldots, \varphi_k\}$ and $\varphi \xrightarrow{\eta} \varphi$ holds. Then according to Lemma 12 there exists $\varphi_0$ so that $\varphi_0 \xrightarrow{\eta} True \vee \varphi_0 \xrightarrow{\eta} \varphi_0$ holds. Moreover, for $S_1 = S_0 \cup \{\varphi_1\}$ we have $\varphi_1 \xrightarrow{\eta} \varphi_1'$ and $CF(\varphi_1') \subseteq S_0 \cup \{\varphi_1\}$. Note that beyond $S_{i-1}$ there can be more than one formula added into $S_i$ at the same time: see $\varphi_2$ and $\varphi_3$ in $S_2$. This property of the looping formula plays a key role in the proofs that follow.



Lemma 13. $\varphi \xrightarrow{\alpha} \psi \wedge S \models_f \psi \Rightarrow S \cup CF(\alpha) \models_f \varphi$.

Proof. We prove it by induction over the formula $\varphi$.

— Basic step: If $\varphi = p$, then we know $DNF(\varphi) = \{p \wedge XTrue\}$. So $\varphi \xrightarrow{\alpha} \psi$ implies $p \in CF(\alpha) \wedge CF(\alpha) \models_f True$. Thus $S \cup CF(\alpha) \models_f \varphi$ is true.

— Inductive step: Assume $\varphi_i$ ($i = 1, 2$) satisfy $\varphi_i \xrightarrow{\alpha_i} \psi_i \wedge S_i \models_f \psi_i \Rightarrow S_i \cup CF(\alpha_i) \models_f \varphi_i$; then we have:

1. If $\varphi = X\varphi_1$, then we know $DNF(\varphi) = \{True \wedge X\varphi_1\}$. If $S \models_f \varphi_1$ holds, then since $S \cup CF(True) \models_f \varphi = S \models_f \varphi_1$, $S \cup CF(True) = S \models_f \varphi$ holds.

2. If $\varphi = \varphi_1 \vee \varphi_2$, then we know $DNF(\varphi) = DNF(\varphi_1) \cup DNF(\varphi_2)$, that is, $\forall \alpha \wedge X\psi \in DNF(\varphi) \cdot \alpha \wedge X\psi \in DNF(\varphi_1) \cup DNF(\varphi_2)$. If $S \models_f \psi$ holds then by induction hypothesis we have $\varphi_1 (\varphi_2) \xrightarrow{\alpha} \psi \wedge S \models_f \psi \Rightarrow S \cup CF(\alpha) \models_f \varphi_1 (\varphi_2)$, which indeed implies $S \cup CF(\alpha) \models_f \varphi$ according to the definition of $\models_f$ (Definition 6). So $\varphi \xrightarrow{\alpha} \psi \wedge S \models_f \psi \Rightarrow S \cup CF(\alpha) \models_f \varphi$.

3. If $\varphi = \varphi_1 \wedge \varphi_2$, then we know for each $\alpha \wedge X\psi \in DNF(\varphi)$ there exist $\alpha_i$ and $\psi_i$ ($i = 1, 2$) so that $\alpha = \alpha_1 \wedge \alpha_2$ and $\psi = \psi_1 \wedge \psi_2$, as well as $\alpha_1 \wedge X\psi_1 \in DNF(\varphi_1)$ and $\alpha_2 \wedge X\psi_2 \in DNF(\varphi_2)$. If $S \models_f \psi$ holds, then $S \models_f \psi_i$ ($i = 1, 2$) hold. By induction hypothesis we have $\varphi_i \xrightarrow{\alpha_i} \psi_i \wedge S \models_f \psi_i \Rightarrow S \cup CF(\alpha_i) \models_f \varphi_i$ ($i = 1, 2$), so $S \cup CF(\alpha_1) \cup CF(\alpha_2) \models_f \varphi_1 \wedge \varphi_2$ holds. Thus $S \cup CF(\alpha) \models_f \varphi$ holds.

4. If $\varphi = \varphi_1 U \varphi_2$, then we know each $\alpha \wedge X\psi \in DNF(\varphi)$ is either in $DNF(\varphi_2)$, or $\exists \alpha \wedge X\psi_1 \in DNF(\varphi_1)$ and $\psi = \psi_1 \wedge \varphi$. If $S \models_f \psi$ holds then $S \models_f \varphi$ obviously holds when $\psi = \psi_1 \wedge \varphi$; thus $S \cup CF(\alpha) \models_f \varphi$ holds. And if $\alpha \wedge X\psi \in DNF(\varphi_2)$, by induction hypothesis we have $S \cup CF(\alpha) \models_f \varphi_2 = S \cup CF(\alpha) \models_f \varphi$ directly.

5. If $\varphi = \varphi_1 R \varphi_2$, then we know each $\alpha \wedge X\psi \in DNF(\varphi)$ is either in $DNF(\varphi_1 \wedge \varphi_2)$, or $\exists \alpha \wedge X\psi_2 \in DNF(\varphi_2)$ and $\psi = \psi_2 \wedge \varphi$. If $S \models_f \psi$ holds, then when $\alpha \wedge X\psi \in DNF(\varphi_1 \wedge \varphi_2)$ we have proven (case 3) that $S \cup CF(\alpha) \models_f \varphi_1 \wedge \varphi_2$, hence $S \cup CF(\alpha) \models_f \varphi$. And if $\psi = \psi_2 \wedge \varphi$ then $S \models_f \psi$ obviously makes $S \cup CF(\alpha) \models_f \varphi$ hold.

Lemma 14. Let $\varphi = \varphi_1 \xrightarrow{\alpha_1} \varphi_2 \xrightarrow{\alpha_2} \cdots \xrightarrow{\alpha_n} \varphi_{n+1} = \psi$ and $T = \bigcup_{0 < j \le n} \alpha_j$. If $S \models_f \psi$ then $S \cup T \models_f \varphi$ holds.

Proof. According to Lemma 13 we know $\varphi_n \xrightarrow{\alpha_n} \varphi_{n+1} = \psi \wedge S \models_f \psi \Rightarrow S \cup CF(\alpha_n) \models_f \varphi_n$ holds. Inductively using Lemma 13 we can finally prove this lemma is true.

Lemma 15. If $\varphi \leadsto \varphi$, then $\forall \mu \in UCF(\varphi) \cdot (\mu \xrightarrow{\eta} \mu' \wedge \mu \notin CF(\mu')) \Leftrightarrow \eta \models_f \varphi$; here $UCF(\varphi) \subseteq CF(\varphi)$ and each $\mu$ in $UCF(\varphi)$ is an Until formula.

Proof. Let $\varphi \xrightarrow{\eta} \varphi = (\varphi = \varphi_0 \xrightarrow{\alpha_0} \varphi_1 \xrightarrow{\alpha_1} \cdots \xrightarrow{\alpha_k} \varphi_{k+1} = \varphi)$ ($k \ge 0$) and the set $T = \bigcup_{0 \le j \le k} \alpha_j$, where $\alpha_j \wedge X\varphi_{j+1} \in DNF(\varphi_j) \wedge \omega_j \models \alpha_j$ holds.



($\Rightarrow$) From Lemma 12 we know there exists $S_0 \subseteq S_1 \subseteq \ldots \subseteq S_n = CF(\varphi)$ ($n \ge 0$) such that $\forall \mu \in S_0 \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} True \vee \mu \xrightarrow{\eta} \mu$, and for $i \ge 1$ we have $\forall \mu \in S_i \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} \mu'$ and $CF(\mu') \subseteq S_{i-1} \cup \{\mu\}$. For each $\mu$ in $S_0$, if $\mu \xrightarrow{\eta} True$ then according to Lemma 14 we have $T \models_f \mu$; and if $\mu \xrightarrow{\eta} \mu$, since $\mu$ is not an Until formula, $\mu$ is a Release formula. For the Release formula $\mu = \nu_1 R \nu_2$ we know every time $\mu \xrightarrow{\eta} \mu$ implies $\nu_2 \xrightarrow{\eta} True$. Thus according to Lemma 14 we have $T \models_f \nu_2$, and then $T \models_f \mu$ holds according to its definition. So we have now proven $\forall \mu \in S_0 \cdot T \models_f \mu$. Inductively, for $i > 0$, if $\mu \in S_i$ and $\mu \xrightarrow{\eta} \mu'$ where $CF(\mu') \subseteq S_{i-1}$, then since we have proven $T \models_f \mu'$, according to Lemma 14 we know $T \models_f \mu$ holds. Else if $\mu \xrightarrow{\eta} \mu' \wedge \mu \in CF(\mu')$, then according to the assumption we know $\mu$ must be a Release formula, so for $\mu = \nu_1 R \nu_2$ we have $\nu_2 \xrightarrow{\eta} \nu'$ where $CF(\nu') \subseteq S_{i-1}$. Since we have proven $T \models_f \nu'$, according to Lemma 14 we have $T \models_f \nu_2$ as well. Then according to the definition of $\models_f$ we know $T \models_f \mu$ holds. Thus we can prove $\forall \mu \in S_n = CF(\varphi) \cdot T \models_f \mu$, that is, $T \models_f \varphi$ holds. Moreover, since $\varphi \leadsto \varphi$ is true, according to the definition of $\models_f$ (Definition 6) we know $\eta \models_f \varphi$ holds.

($\Leftarrow$) If $\exists \mu \in UCF(\varphi) \cdot \mu \xrightarrow{\eta} \mu' \wedge \mu \in CF(\mu')$, then according to the expansion rule $\mu = \nu_1 U \nu_2 = \nu_2 \vee \nu_1 \wedge X(\nu_1 U \nu_2)$ we can conclude $\eta \models_f \nu_2$ never holds, which makes $\eta \models_f \varphi$ not hold. So the lemma is true.

Lemma 16. If $\varphi$ is a Release formula, then $\varphi \xrightarrow{\xi} \varphi \Rightarrow \xi \models \varphi$.

Proof. Let $\varphi = \mu R \nu$. Since $\varphi \xrightarrow{\xi} \varphi$, we have $\exists n \cdot \varphi \xrightarrow{\xi^n} \varphi \wedge \varphi \xrightarrow{\xi_{n+1}} \varphi$. Let $\xi^n = \omega_0 \omega_1 \ldots \omega_n$ and $\eta_i = \omega_i \ldots \omega_n$ ($0 \le i \le n$). Thus we can easily see $\forall 0 \le i \le n \cdot \nu \xrightarrow{\eta_i} True$, which makes $\forall 0 \le j \le n \cdot \xi_j \models \nu$. Inductively, for $\varphi \xrightarrow{\xi_{n+1}} \varphi$ we get the same conclusion. So $\forall j \ge 0$ we have $\xi_j \models \nu$, which makes $\xi \models \varphi$ according to the LTL semantics.

Now we begin to prove Lemma 4.

Proof. From Lemma 12 we know there exists $S_0 \subseteq S_1 \subseteq \ldots \subseteq S_n = CF(\varphi)$ ($n \ge 0$) such that $\forall \mu \in S_0 \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} True \vee \mu \xrightarrow{\eta} \mu$, and for $i \ge 1$ we have $\forall \mu \in S_i \, \forall \varphi \xrightarrow{\eta} \varphi \cdot \mu \xrightarrow{\eta} \mu'$ and $CF(\mu') \subseteq S_{i-1} \cup \{\mu\}$.

Basically, for each $\mu$ in $S_0$: if $\exists i \cdot \mu \xrightarrow{\eta_i} True$ holds, then since $\forall 0 \le j < i \cdot \mu \xrightarrow{\eta_j} \mu$, we have $\forall 0 \le j \le i \cdot \xi' = \eta_j \eta_{j+1} \ldots \models \mu$. And if $\forall i \ge 0 \cdot \mu \xrightarrow{\eta_i} \mu$, since $\eta_i \models_f \varphi \Rightarrow \eta_i \models_f \mu$, according to Lemma 15 we know $\mu$ cannot be an Until formula. Then according to Corollary 2 we know $\mu$ is a Release formula. Also we have $\mu \xrightarrow{\eta_i} \mu$, and according to Lemma 16 we know that $\forall i \ge 0 \cdot \mu \xrightarrow{\eta_i} \mu$ together with $\mu$ being a Release formula implies $\forall i \ge 0 \cdot \xi' = \eta_i \eta_{i+1} \ldots \models \mu$. So first we can prove $\forall \mu \in S_0 \, \forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \mu$.

Inductively, for the set $S_{k+1}$ ($k \ge 0$): if $\exists \mu \in S_{k+1} \setminus S_k \, \forall i \ge 0 \cdot \mu \xrightarrow{\eta_i} \mu' \wedge CF(\mu') \subseteq S_k$, then from the induction hypothesis we know $\eta_{i+1} \eta_{i+2} \ldots \models \mu'$, so $\eta_i \eta_{i+1} \ldots \models \mu$. Moreover, we also have $\forall 0 \le j \le i \cdot \eta_j \eta_{j+1} \ldots \models \mu$. If $\forall i \ge 0 \cdot \mu \xrightarrow{\eta_i} \mu' \wedge \mu \in CF(\mu')$, similarly according to Lemma 15 and Corollary 2 we know $\mu$ must be a Release formula. Let $\mu = \nu_1 R \nu_2$; we know $\forall i \ge 0 \cdot \nu_2 \xrightarrow{\eta_i} \nu' \wedge CF(\nu') \subseteq S_k$. We have proven $\eta_{i+1} \eta_{i+2} \ldots \models \nu'$, so we have $\forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \nu_2$. Then according to the LTL semantics we have $\forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \mu$. So we can prove now $\forall \mu \in S_{k+1} \, \forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \mu$.

So finally we can prove, for the set $S_n = CF(\varphi)$, $\forall \mu \in S_n \, \forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \mu$. Thus $\forall \mu \in S_n \, \forall i \ge 0 \cdot \eta_i \eta_{i+1} \ldots \models \mu$ implies $\xi \models \varphi$.



A.5 Proof of Lemma 5

Lemma 17. $\xi \models \varphi \Rightarrow \exists n \cdot \xi^n \models_f \varphi$.

Proof. We prove it by induction over the size of the formula $\varphi$.

— Basic step: If $\varphi = p$, then $\xi \models \varphi \Rightarrow p \in \omega_0$; according to Definition 6 we know $\xi^0 \models_f \varphi$ is true.

— Inductive step: Assume for the formulas $\varphi_i$ ($i = 1, 2$) we have $\xi \models \varphi_i \Rightarrow \exists n_i \cdot \xi^{n_i} \models_f \varphi_i$. Then:

1. If $\varphi = X\varphi_1$, then $\xi \models \varphi \Rightarrow \xi_1 \models \varphi_1$. By induction hypothesis we know $\exists n \cdot \xi_1^n \models_f \varphi_1$ holds, so $\xi^{n+1} \models_f \varphi$ also holds.

2. If $\varphi = \varphi_1 \wedge \varphi_2$, then $\xi \models \varphi \Rightarrow \xi \models \varphi_1 \wedge \xi \models \varphi_2$. By induction hypothesis we know $\exists n_1 \cdot \xi^{n_1} \models_f \varphi_1$ and $\exists n_2 \cdot \xi^{n_2} \models_f \varphi_2$ hold, so we can conclude $\exists n \ge \max(n_1, n_2) \cdot \xi^n \models_f \varphi$ holds.

3. If $\varphi = \varphi_1 \vee \varphi_2$, then $\xi \models \varphi \Rightarrow \xi \models \varphi_1 \vee \xi \models \varphi_2$. By induction hypothesis we know $\exists n_1 \cdot \xi^{n_1} \models_f \varphi_1$ or $\exists n_2 \cdot \xi^{n_2} \models_f \varphi_2$ holds, so we can conclude $\exists n = n_1 \vee n = n_2 \cdot \xi^n \models_f \varphi$ holds.

4. If $\varphi = \varphi_1 U \varphi_2$, then $\xi \models \varphi_1 U \varphi_2 \Rightarrow \exists i \ge 0 \cdot \xi_i \models \varphi_2$. By induction hypothesis we have $\exists n \cdot \xi_i^n \models_f \varphi_2$, so from Definition 6 we have $\xi^{i+n} \models_f \varphi$.

5. If $\varphi = \varphi_1 R \varphi_2$, then $\xi \models \varphi_1 R \varphi_2 \Rightarrow \forall i \ge 0 \cdot \xi_i \models \varphi_2$. So $\xi \models \varphi_2$ holds. Then by induction hypothesis we know $\exists n \cdot \xi^n \models_f \varphi_2$, and according to Definition 6 we know $\xi^n \models_f \varphi$ also holds.

Lemma 18. $\varphi \xrightarrow{\xi} \varphi \wedge \xi \models \varphi \Rightarrow \exists n \cdot \varphi \xrightarrow{\xi^n} \varphi \wedge \xi^n \models_f \varphi \wedge (\varphi \xrightarrow{\xi_n} \varphi \wedge \xi_n \models \varphi)$.

Proof. We first prove $\varphi \xrightarrow{\xi} \varphi \wedge \xi \models \varphi \Rightarrow \exists n \cdot \varphi \xrightarrow{\xi^n} \varphi \wedge \xi^n \models_f \varphi$. If $\forall n \cdot \varphi \xrightarrow{\xi^n} \varphi \wedge \neg(\xi^n \models_f \varphi)$, we can conclude $\forall i \le n \cdot \neg(\xi^i \models_f \varphi)$, which contradicts Lemma 17. Moreover, since $\varphi \xrightarrow{\xi} \varphi \wedge \varphi \xrightarrow{\xi^n} \varphi \wedge \xi \models \varphi$, $\varphi \xrightarrow{\xi_n} \varphi \wedge \xi_n \models \varphi$ is also true. So this lemma is true.

To prove Lemma 5 we can use Lemma 18 inductively, and obviously it is true.

A.6 Proof of Theorem 4

Proof. ($\Rightarrow$) According to Corollary 1 and Lemma 5 we know it is true. ($\Leftarrow$) According to Corollary 1 and Lemma 4 it is true.

A.7 Proof of Theorem 5

Lemma 19. Let $\xi = \omega_0 \omega_1 \ldots$ and $A_\lambda$ the Büchi automaton for $\lambda$ generated by the DNF-based construction. Then $\psi_0 = \lambda \xrightarrow{\omega_0} \psi_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_{n-1}} \psi_n$ holds, where $\psi_i \in EF(\lambda)$, if and only if there is a corresponding path $s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_{n-1}} s_n$ in $A_\lambda$ where each $s_i$ is the $\psi_i$-state.



Proof. We prove it by induction over $n$.

1) When $n = 1$: if $\psi_1$ occurs as a successor in $DNF(\lambda)$, then according to our construction directly we know $\psi_0 = \lambda \xrightarrow{\omega_0} \psi_1$ if and only if there is $s_0 \xrightarrow{\omega_0} s_1$ where $s_1$ is the $\psi_1$-state.

2) When $n = k$, $k \ge 1$, we assume $\psi_0 = \lambda \xrightarrow{\omega_0} \cdots \xrightarrow{\omega_{k-1}} \psi_k$ if and only if there is a corresponding path $s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_{k-1}} s_k$ in $A_\lambda$ where for $k \ge i \ge 0$ each $s_i$ is the $\psi_i$-state. Then $\psi_0 = \lambda \xrightarrow{\omega_0} \psi_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_{k-1}} \psi_k \xrightarrow{\omega_k} \psi_{k+1}$ holds if and only if $\exists \alpha_k \wedge X\psi_{k+1} \in DNF(\psi_k) \wedge \omega_k \models \alpha_k$ holds, from Definition 2. According to the construction we know $\exists \alpha_k \wedge X\psi_{k+1} \in DNF(\psi_k) \wedge \omega_k \models \alpha_k$ if and only if there is $s_k \xrightarrow{\omega_k} s_{k+1}$ where $s_{k+1}$ is the $\psi_{k+1}$-state. So it is true that $\psi_0 = \lambda \xrightarrow{\omega_0} \psi_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_{k-1}} \psi_k \xrightarrow{\omega_k} \psi_{k+1}$ if and only if there is $s_0 \xrightarrow{\omega_0} s_1 \cdots \xrightarrow{\omega_{k-1}} s_k \xrightarrow{\omega_k} s_{k+1}$ in $A_\lambda$. The proof is done.

Now we come to prove Theorem 5.

Proof. ($\Leftarrow$) Let $\xi = \omega_0 \omega_1 \ldots$ be a word accepted by $A_\lambda$; we want to prove that $\xi \models \lambda$. Let $\sigma := s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} \cdots$ be the corresponding path accepting $\xi$. Thus, $inf(\sigma)$ contains at least one accepting state $s \in F$. Assume $s = (\varphi, \emptyset)$. Since there exists a finite path $s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} s_2 \cdots \xrightarrow{\omega_n} s_{n+1} = s$ where each $s_i$ is the $\psi_i$-state, according to Lemma 19 we know $\lambda = \psi_0 \xrightarrow{\omega_0} \psi_1 \xrightarrow{\omega_1} \psi_2 \cdots \xrightarrow{\omega_n} \psi_{n+1} = \varphi$ holds. Then we know $\exists \xi_n = \eta_1 \eta_2 \ldots$ so that for each $\eta_i = \omega_{i_0} \omega_{i_1} \ldots \omega_{i_n}$ ($i, n \ge 1$) we have $s_{i_0} = s \xrightarrow{\omega_{i_0}} s_{i_1} \xrightarrow{\omega_{i_1}} \cdots s_{i_{n+1}} = s$, which for simplicity we denote as $s \xrightarrow{\eta_i} s$. According to Lemma 19 we know that each time $s \xrightarrow{\eta_i} s$ holds, $\varphi \xrightarrow{\eta_i} \varphi$ also holds ($s$ is the $\varphi$-state). Moreover, according to our construction and Lemma 6 we know $\eta_i \models_f \varphi$ holds. Finally, according to Theorem 4 we can conclude $\xi \models \lambda$.

($\Rightarrow$) Let $\xi = \omega_0 \omega_1 \ldots$ and $\xi \models \lambda$; we now prove there is an accepting run $s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} \cdots$ in $A_\lambda$. From Theorem 4 we know $\xi \models \lambda \Rightarrow \exists \varphi \, \exists n \cdot \lambda \xrightarrow{\xi^n} \varphi \wedge (\exists \xi_n = \eta_1 \eta_2 \ldots \cdot \forall i \ge 1 \cdot \varphi \xrightarrow{\eta_i} \varphi \wedge \eta_i \models_f \varphi)$. According to Lemma 19 we can find an infinite path $\sigma = s_0 \xrightarrow{\omega_0} s_1 \xrightarrow{\omega_1} \cdots \xrightarrow{\omega_n} s \cdots$ in $A_\lambda$ on which $\xi$ can run. Here $s_0$ is the $\lambda$-state and $s$ is the $\varphi$-state, and for each $\eta_i = \omega_{i_0} \omega_{i_1} \ldots \omega_{i_n}$ ($i, n \ge 1$) we have $s_{i_0} = s \xrightarrow{\omega_{i_0}} s_{i_1} \xrightarrow{\omega_{i_1}} s_{i_2} \cdots \xrightarrow{\omega_{i_n}} s_{i_{n+1}} = s$, which for simplicity we denote as $s \xrightarrow{\eta_i} s$. Let $s_{i_j}$ ($n + 1 \ge j \ge 0$) be the $\varphi_{i_j}$-state, and let the set $T = \bigcup_{0 \le k \le n} \alpha_{i_k}$, where each $\alpha_{i_k}$ satisfies $\exists \alpha_{i_k} \wedge X(\varphi_{i_{k+1}}) \in DNF(\varphi_{i_k}) \wedge \omega_{i_k} \models \alpha_{i_k}$. Since $T \models_f \varphi$ holds, according to Lemma 6 we know $\exists O \in OS_\varphi \cdot O \subseteq T$. Moreover, our construction guarantees that for each $s \xrightarrow{\eta_i} s$ there is $s_{i_j} = (\varphi_{i_j}, P)$ ($0 \le j \le n$) so that $P = \emptyset$. Since the states of the form $(-, \emptyset)$ are finitely many, there must be such a state in $inf(\sigma)$. Finally we prove the theorem is true.



